If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated typo in "Enabling SSL protocols and ciphers in ThriftAuthenticationService" step1


The transport-level security protocol of the Tomcat server is configured in the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file. By default, "TLS" is configured as the SSL protocol for HTTPS communication , by setting the sslProtocol="TLS" attribute in the catalinathe catalina-server.xml filexml file. Specifying TLS as the SSL protocol means ensures that all TLS versions, as well as SSL protocol versions, are supported. However, due to the Poodle Attack, it is necessary to make sure that only TLS protocol versions are enabled.

Note that , in some WSO2 products, such as WSO2 Enterprise Integrator (ESB profile) and WSO2 API Manager, pass-thru transports are enabled. Therefore, to disable SSL in such products, the axis2.xml file stored in the <PRODUCT_HOME>/repository/conf/axis2/ directory should also be configured.


  1. Add the following configurations in the <CARBON_SERVER>/repository/conf/identity/thrift-authentication.xml file as sub-elements of the root <Server> element.

    Code Block
    <Ciphers>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Ciphers> The following additional cipher suites could be also given if JCE Unlimited Strength Jurisdiction Policy is enabled in Java. 

    Tip: You can also add the following additional cipher suites to the <Ciphers> property if JCE Unlimited Strength Jurisdiction Policy is enabled in Java.

    Code Block

    If you wish to remove TLSv1 or TLSv1.1, you can do so by removing them as values from the <SSLEnabledProtocols> property.

  2. Restart the server. 

Enabling TLSv1.1/TLSv1.2 for products with JDK 1.7

The TLS protocol is set to TLSv1.0 (by default), in WSO2 products running on JDK 1.7. You cannot configure this using the catalinathe catalina-server.xml file or the axis2.xml file as we do with products based on JDK 1.7. Therefore, you need to enable TLSv1.1 and TLSv1.2 globally , by setting a system property.

  1. Download the following JARsartifacts:
  2. Copy the wso2-ssl-socket-factory-provider-1.0.0.jar file to the <PRODUCT_HOME>/lib/endorsed directory.
  3. Copy the wso2-ssl-security file to the <PRODUCT_HOME>/repository/conf/ directory.
  4. Open the product startup script (wso2server.sh for Linux, or wso2server.bat for Windows), which is stored in the <PRODUCT_HOME>/bin directory.

  5. Add the following system properties to the script:

    Code Block
    -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" \
    -Djava.security.properties=$PRODUCT"$CARBON_HOME/repository/conf/wso2-ssl-security" \
  6. Start the server.

Disabling weak ciphers


  1. Open the <PRODUCT_HOME>/repository/conf/axis2/axis2.xml  file.
  2. Make a backup of the axis2.xml  file and stop the WSO2 product server.
  3. You need to add the PreferredCiphers parameter under the "Transport Ins (Listeners)" section along with the list of relevant cipher suites.

    Code Block
  4. Start the server.
  5. Test the pass-through transport using the following command with the corresponding port:

    Code Block
    $ java -jar TestSSLServer.jar localhost 8243